diff --git a/build_debian.sh b/build_debian.sh index 01a10d78d6..dd98b052e1 100755 --- a/build_debian.sh +++ b/build_debian.sh @@ -468,7 +468,7 @@ rm /files/etc/ssh/sshd_config/ClientAliveCountMax touch /files/etc/ssh/sshd_config/EmptyLineHack rename /files/etc/ssh/sshd_config/EmptyLineHack "" set /files/etc/ssh/sshd_config/ClientAliveInterval 300 -set /files/etc/ssh/sshd_config/ClientAliveCountMax 1 +set /files/etc/ssh/sshd_config/ClientAliveCountMax 0 ins #comment before /files/etc/ssh/sshd_config/ClientAliveInterval set /files/etc/ssh/sshd_config/#comment[following-sibling::*[1][self::ClientAliveInterval]] "Close inactive client sessions after 5 minutes" rm /files/etc/ssh/sshd_config/MaxAuthTries diff --git a/rules/sonic-fips.mk b/rules/sonic-fips.mk index e5b6e4ad35..8303918e2e 100644 --- a/rules/sonic-fips.mk +++ b/rules/sonic-fips.mk @@ -1,6 +1,6 @@ # fips packages -FIPS_VERSION = 0.3 +FIPS_VERSION = 0.4 FIPS_OPENSSL_VERSION = 1.1.1n-0+deb11u3+fips FIPS_OPENSSH_VERSION = 8.4p1-5+deb11u1+fips FIPS_PYTHON_MAIN_VERSION = 3.9 diff --git a/src/openssh/Makefile b/src/openssh/Makefile index ec7942fe7e..29df8e7629 100644 --- a/src/openssh/Makefile +++ b/src/openssh/Makefile @@ -23,7 +23,6 @@ ifeq ($(CROSS_BUILD_ENVIRON), y) patch -p1 < ../patch/cross-compile-changes.patch dpkg-buildpackage -rfakeroot -b -us -uc -a$(CONFIGURED_ARCH) -Pcross,nocheck -j$(SONIC_CONFIG_MAKE_JOBS) --admindir $(SONIC_DPKG_ADMINDIR) else - sudo http_proxy=$(http_proxy) apt-get -y build-dep openssh dpkg-buildpackage -rfakeroot -b -us -uc -j$(SONIC_CONFIG_MAKE_JOBS) --admindir $(SONIC_DPKG_ADMINDIR) endif popd diff --git a/src/openssh/patch/0002-Revert-commit-69334996-make-sshd_config-ClientAliveC.patch b/src/openssh/patch/0002-Revert-commit-69334996-make-sshd_config-ClientAliveC.patch new file mode 100644 index 0000000000..3eb04bc4e0 --- /dev/null +++ b/src/openssh/patch/0002-Revert-commit-69334996-make-sshd_config-ClientAliveC.patch @@ -0,0 +1,48 @@ +From 2bc575c74aa811a60682e989d07675b8e7ac8a12 Mon Sep 17 00:00:00 2001 +From: Saikrishna Arcot +Date: Thu, 13 Oct 2022 13:45:17 -0700 +Subject: [PATCH] Revert commit 69334996: make + sshd_config:ClientAliveCountMax=0 disable the connection-killing behavior + +SONiC (and others) use this feature to kill connections when the session +is idle after some duration of time. OpenSSH 8.2 defined setting +ClientAliveCountMax=0, but by doing so, broke the current use case of +it. + +Signed-off-by: Saikrishna Arcot +--- + serverloop.c | 3 +-- + sshd_config.5 | 3 --- + 2 files changed, 1 insertion(+), 5 deletions(-) + +diff --git a/serverloop.c b/serverloop.c +index 48d936d..1b30498 100644 +--- a/serverloop.c ++++ b/serverloop.c +@@ -184,8 +184,7 @@ client_alive_check(struct ssh *ssh) + int r, channel_id; + + /* timeout, check to see how many we have had */ +- if (options.client_alive_count_max > 0 && +- ssh_packet_inc_alive_timeouts(ssh) > ++ if (ssh_packet_inc_alive_timeouts(ssh) > + options.client_alive_count_max) { + sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id)); + logit("Timeout, client not responding from %s", remote_id); +diff --git a/sshd_config.5 b/sshd_config.5 +index a555e7e..a5815d3 100644 +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -545,9 +545,6 @@ is set to 15, and + .Cm ClientAliveCountMax + is left at the default, unresponsive SSH clients + will be disconnected after approximately 45 seconds. +-Setting a zero +-.Cm ClientAliveCountMax +-disables connection termination. + .It Cm ClientAliveInterval + Sets a timeout interval in seconds after which if no data has been received + from the client, +-- +2.25.1 + diff --git a/src/openssh/patch/series b/src/openssh/patch/series index a645ad2583..e320bcab21 100644 --- a/src/openssh/patch/series +++ b/src/openssh/patch/series @@ -1 +1,2 @@ 0001-Put-style-as-line-number-to-ssh-session-environment-.patch +0002-Revert-commit-69334996-make-sshd_config-ClientAliveC.patch